Happy GDPR Day. Are You Ready?

So the day has finally arrived. GDPR is here. The EU General Data Protection Regulation comes into force today.

Unless you’ve been living under a rock for the past few months, you can hardly fail to have noticed the ever increasing deluge of emails urging everything from ‘Please Stay With Us’ to ‘Do You Love Me Enough To Click’ (yes, that actually happened). One UK newspaper even characterised the effect on many people’s inboxes as beginning to resemble the desperate last throes of a romance.

All joking aside, however, now that GDPR is finally here, what does that actually mean? Will the sword of Damocles fall on those who haven’t dotted every ‘i’ and crossed every ‘t’? Anecdotally, and according to numerous surveys, many organisations still feel unprepared for GDPR with a large number also expressing confusion as to what ‘readiness’ actually means in practical terms.

Regulators have been quick to point out that there is no grace period post May 25, while at the same time seeking to reassure anxious organisations that enforcement will be measured and proportionate. Each of the National Data Protection Authorities (DPAs) will have their own priorities, but the general thrust seems to be that proactive supervisory and enforcement activities will be targeted largely at organisations and sectors engaged in large scale data-processing activities that constitute a high risk.

That said, it should be noted that supervision and enforcement will also be driven by individual complaints and, as Andrea Jelinek, Chair of the European Data Protection Board (which coordinates all the EU DPAs), said earlier this week “I’m sure you won’t have to wait for a couple of months. I’m sure there will be complaints already on Friday.”

So, back to the headline question – are you ready? As the GDPR is a principles-based, technology-neutral regulation, readiness is not a simple tick box exercise, and many of the provisions within GDPR will continue to generate debate and differences of opinion as to interpretation in application until tested in the courts. The broad answer is that you should be able to demonstrate that your organisation is actively pursuing privacy policies that comply with the rights of data subjects, that the principles of data protection are respected, and that you are fully transparent in terms of the data you collect, the lawful basis in which it is processed, and the purpose(s) for which it is processed.

As the leading global public affairs and association management consultancy, Interel has not only been diligently preparing for GDPR internally, but has been actively helping its clients prepare. In particular, we have created a guide and a toolkit for the associations we manage to help them navigate GDPR compliance in a very practical way. We are happy to share the guide with you here.

At the end of the day, though, for all the advice, toolkits and check lists, GDPR compliance starts with a shift in mind set. As the Irish Data Protection Commission’s Deputy Commissioner, Dale Sunderland, said in a recent blog – “In the final analysis, the businesses and organisations leading the pack in navigating the requirements of the GDPR and meeting the GDPR standard will be those that are committed to data protection compliance at the top management level and who have proactively sought to build awareness and embed a data protection culture at all levels of the organisation.”